CrushFTP Zero-Day (CVE-2025-54309) Actively Exploited via AS2 Flaw – Patch Now!
CrushFTP has disclosed a critical vulnerability in its managed file transfer server that is already being exploited in the wild. Tracked as CVE-2025-54309 and rated CVSS 9.0, the flaw stems from improper handling of AS2 validation and lets a remote attacker obtain administrative access to the server over HTTPS, provided the DMZ proxy feature is not in use. Fixed builds are 10.8.5 and 11.3.4_23; earlier 10.x and 11.x releases are affected.
CrushFTP reported that the earliest known exploitation occurred on July 18, 2025, while acknowledging that the flaw may have been abused before that date. The vendor had previously fixed a different AS2-related bug; attackers appear to have reverse-engineered that update, identified the older oversight it touched, and quickly turned it into a working exploit for a new wave of attacks.
CrushFTP is widely deployed in sectors where the secure transfer of sensitive data is paramount—government agencies, healthcare institutions, and large enterprises. Unauthorized access to its administrative interface poses a significant risk: attackers can exfiltrate files, install backdoors, and move laterally within corporate networks, exploiting the trust placed in CrushFTP as a secure file-sharing platform. Without proper DMZ isolation, the server becomes a critical weak point in the overall security architecture.
According to the company, the attackers were able to reconstruct the structure of the source code and uncover the exploitable flaw, which is believed to be present in all CrushFTP builds released before July 1, 2025.
Indicators of compromise cited by the developers include:
- The default user account being granted administrative privileges;
- The appearance of unusually long, random-looking usernames, such as 7a0d26089ac528941bf8cb998d97f408m;
- Creation of additional accounts with administrative access;
- Recent modifications to the MainUsers/default/user.xml file, particularly in the last_logins field;
- Missing standard buttons in the web interface and ordinary users unexpectedly being able to log in as administrators.
Security professionals are advised to review the modification date of the user.xml file, correlate login events with IP addresses, audit access to critical directories, and scrutinize unusual activity logs, particularly those reflecting new user creation or privilege escalation.
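The indicators above can be checked mechanically against a CrushFTP users directory. The script below is an added example, not CrushFTP's own tooling. It assumes the layout MainUsers/<username>/user.xml (the page only names the default account's file), and because the page does not name the element that grants admin rights, it uses a heuristic: any element whose tag contains "admin" with the text "true" counts as an admin flag. The sample tree built by demo() is constructed for illustration, including the <admin> tag and the last_logins value.

```python
"""Hunt for the CrushFTP CVE-2025-54309 indicators in a MainUsers directory.

Added example, not CrushFTP's own code. Assumptions: each account lives in
MainUsers/<username>/user.xml; the real admin-flag element name is unknown
here, so any element whose tag contains "admin" set to "true" is treated as
an admin flag. The tree built by demo() is constructed sample data.
"""
import os
import re
import tempfile
import time
import xml.etree.ElementTree as ET

# "7a0d26089ac528941bf8cb998d97f408m": a long run of hex digits, optionally
# followed by one extra character. Real account names rarely look like this.
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{24,}[a-z0-9]?$")


def is_random_username(name: str) -> bool:
    return bool(RANDOM_NAME_RE.match(name))


def has_admin_flag(root: ET.Element) -> bool:
    # Heuristic (assumed): any element tag containing "admin" with text "true".
    for el in root.iter():
        if "admin" in el.tag.lower() and (el.text or "").strip().lower() == "true":
            return True
    return False


def scan_mainusers(mainusers_dir: str, modified_since: float):
    """Return (username, finding) pairs for the indicators listed on the page."""
    findings = []
    for name in sorted(os.listdir(mainusers_dir)):
        user_xml = os.path.join(mainusers_dir, name, "user.xml")
        if not os.path.isfile(user_xml):
            continue
        if is_random_username(name):
            findings.append((name, "random-looking username"))
        if os.path.getmtime(user_xml) >= modified_since:
            findings.append((name, "user.xml modified after cutoff"))
        try:
            root = ET.parse(user_xml).getroot()
        except ET.ParseError:
            findings.append((name, "user.xml does not parse"))
            continue
        if has_admin_flag(root):
            if name == "default":
                findings.append((name, "default account has admin flag"))
            else:
                findings.append((name, "account has admin flag"))
        last_logins = root.find(".//last_logins")
        if name == "default" and last_logins is not None and (last_logins.text or "").strip():
            findings.append((name, "default account has last_logins entries"))
    return findings


def _write_user(mainusers_dir, name, body, mtime=None):
    """Write a constructed user.xml for one account; mtime is set when given."""
    account_dir = os.path.join(mainusers_dir, name)
    os.makedirs(account_dir)
    path = os.path.join(account_dir, "user.xml")
    with open(path, "w", encoding="utf-8") as f:
        f.write(f"<user><username>{name}</username>{body}</user>")
    if mtime is not None:
        os.utime(path, (mtime, mtime))
    return path


def demo():
    """Build a constructed MainUsers tree and scan it; returns the findings."""
    now = time.time()
    day = 24 * 3600
    with tempfile.TemporaryDirectory() as tmp:
        mainusers = os.path.join(tmp, "MainUsers")
        os.makedirs(mainusers)
        # Compromised default account: admin flag set, fresh login entry, just modified.
        _write_user(mainusers, "default",
                    "<admin>true</admin><last_logins>2025-07-18 09:14:03</last_logins>")
        # Attacker-created account with a random hex name and admin rights.
        _write_user(mainusers, "7a0d26089ac528941bf8cb998d97f408m", "<admin>true</admin>")
        # Legitimate account, untouched for a month, no admin flag.
        _write_user(mainusers, "alice", "<admin>false</admin>", mtime=now - 30 * day)
        return scan_mainusers(mainusers, modified_since=now - 7 * day)


if __name__ == "__main__":
    for user, finding in demo():
        print(f"{user}: {finding}")
```

Point scan_mainusers() at the real users/MainUsers directory with a cutoff just before the first suspicious login you can date; a hit on the default account or on a hex-named account warrants restoring user configurations from a known-good backup rather than editing the flagged file in place.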
As part of its mitigation strategy, CrushFTP recommends the following:
- Restore user configurations from a trusted backup;
- Review file upload and download logs for suspicious activity;
- Restrict administrative access to a limited set of IP addresses;
- Define a whitelist of trusted IPs permitted to connect to the server;
- Employ DMZ servers for corporate deployments;
- Enable automatic updates.
While full details of the exploit chain have not been published, CrushFTP has been hit by similar incidents before. In April 2025, CVE-2025-31161 (CVSS 9.8), an authentication bypass, was exploited to deploy malware, including the MeshCentral agent. A year earlier, in 2024, CVE-2024-4040, a server-side template injection flaw, was used to target several U.S.-based organizations.
Given the recurring exploitation of previously unknown critical flaws in CrushFTP, it is increasingly clear that this platform remains a high-value target in sophisticated and targeted cyber campaigns. Organizations must factor this into their threat assessments, emphasizing not only timely patching, but also rigorous control over third-party file-sharing tools and access privilege management.